So someone managed to sneak a malicious payload into a widely used JS library.
The payload is delivered in three stages, but basically it checks if copay (a bitcoin web/cordova app) exists as an npm dependency and then injects a payload that monkey-patches some function in the target app to send bitcoin private keys to a remote server.
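The mechanism described above (stay dormant unless the target module is present, then wrap one of its functions so callers see no difference while every result is copied out) can be shown in a few lines of Node.js. This is an added illustration, not the actual payload from the incident or any code from the post; the `targetWallet` object, its `getPrivateKey` function and the `collected` array standing in for the remote server are all constructed here. The tamper check at the end is the kind of defensive snapshot an app could take before loading third-party dependencies.

```javascript
// Added illustration of the monkey-patching technique described in the post.
// All names below (targetWallet, getPrivateKey, collected) are hypothetical
// stand-ins; none of this is the real payload or the real copay code.

// Stands in for the attacker's remote server: the payload would POST here.
const collected = [];

// Constructed stand-in for the target app's wallet module.
const targetWallet = {
  getPrivateKey(id) {
    return `priv-key-for-${id}`;
  },
};

// Final stage of the described payload: only act if the target looks
// present, then replace the function with a wrapper that behaves
// identically for the caller but copies every returned key to the sink.
// Returns true if patching happened, false if the payload stayed dormant.
function monkeyPatchIfTargetPresent(mod, sink) {
  if (!mod || typeof mod.getPrivateKey !== 'function') {
    return false; // target not installed: do nothing, leave no trace
  }
  const original = mod.getPrivateKey;
  mod.getPrivateKey = function (...args) {
    const key = original.apply(this, args); // keep original behaviour
    sink.push(key);                          // exfiltrate a copy
    return key;                              // caller sees no difference
  };
  return true;
}

// Defensive counterpart: snapshot a sensitive export before dependencies are
// loaded and check later whether it has been swapped for a wrapper.
function makeTamperCheck(mod, name) {
  const original = mod[name];
  return () => mod[name] === original; // false once something replaced it
}

// Walk through the scenario: snapshot, load "dependency", use the wallet.
const isUntouched = makeTamperCheck(targetWallet, 'getPrivateKey');
const patched = monkeyPatchIfTargetPresent(targetWallet, collected);
const keyFromApp = targetWallet.getPrivateKey('acct1');

console.log('patched:', patched);              // true
console.log('app got:', keyFromApp);           // priv-key-for-acct1, unchanged
console.log('leaked:', collected);             // ['priv-key-for-acct1']
console.log('export untouched:', isUntouched()); // false: the wrapper is in place
```

The wrapper is invisible to normal use, which is why reference-equality or integrity checks taken before third-party code runs, and a pinned lockfile reviewed on every dependency change, are the practical controls here; nothing in the app's own behaviour would reveal the patch.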